Takeaway:

As we all know, if the backend module of a ThinkPHP application is named admin, the administrator backend can be reached directly at http://domain name/admin. This is very convenient, but it is also a serious security risk: hackers can easily guess where the backend is and then brute-force the login. So what is the solution to this problem? Let's discuss how to use routing rules to change the backend path and keep hackers from learning where our backend entrance is. There are many tutorials online about hiding the admin backend, but the one that really works well is this routing-rule method.

Step 1: add a setting in the backend that allows the backend module name to be changed

1.

2. The key code for saving the settings is as follows:

if (request()->isPost()) {
	$data = input('post.');
	// Get all module names of the system
	$system_module = [];
	foreach (scandir(APP_PATH) as $dir) {
		if ($dir == '.' || $dir == '..') {
			continue;
		}
		if (is_dir(APP_PATH . $dir)) {
			array_push($system_module, $dir);
		}
	}
	// Reject a backend name that collides with an existing module directory
	foreach ($data as $key => $vo) {
		if ($key == 'admin_module' && $vo != 'admin' && in_array($vo, $system_module)) {
			$this->error('Background address cannot be the same as existing system module name');
		}
	}
}

Notes:

  • admin_module is the key that holds the name of the backend module in my database
  • APP_PATH is a constant in ThinkPHP 5.0; change it yourself as needed.
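
The check above only rejects names that collide with a module directory. Because the saved value is later concatenated into a route rule in route.php, it is worth restricting its format as well. The following is an added example, not code from the original article; validate_admin_module() and its 6-32 character rule are assumptions, and the application directory is a constructed sample.

```php
<?php
// Added example, not the original author's code. validate_admin_module() and
// its 6-32 character rule are assumptions; adjust them to your own policy.
function validate_admin_module(string $name, string $appPath): ?string
{
    if ($name === 'admin') {
        return null; // default name: hiding is simply switched off
    }
    // The value becomes a route rule key in route.php, so accept only a plain
    // path segment: no '/', ':', '[', '$', dots or whitespace.
    if (!preg_match('/^[a-z][a-z0-9_]{5,31}\z/', $name)) {
        return 'Use 6-32 characters: lowercase letters, digits, underscore';
    }
    // Same rule as the page: no collision with an existing module directory.
    foreach (scandir($appPath) as $dir) {
        if ($dir === '.' || $dir === '..') {
            continue;
        }
        if (is_dir($appPath . $dir) && strcasecmp($dir, $name) === 0) {
            return 'Background address cannot be the same as existing system module name';
        }
    }
    return null;
}

// Constructed sample: a throwaway application directory with three modules.
$app = sys_get_temp_dir() . '/tp5_app_' . uniqid() . '/';
$modules = ['index', 'admin', 'common_api'];
foreach ($modules as $m) {
    mkdir($app . $m, 0700, true);
}
foreach (['admin', 'myadmin_7f3k', 'common_api', 'my/admin', ':id', 'adm'] as $candidate) {
    $err = validate_admin_module($candidate, $app);
    printf("%-14s %s\n", $candidate, $err === null ? 'ok' : 'rejected: ' . $err);
}
// Remove the sample directory again.
foreach ($modules as $m) {
    rmdir($app . $m);
}
rmdir($app);
```

Because sysconfig() caches the config table for 30 minutes, a newly saved name only takes effect in the routes once the cached config entry expires or is cleared.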

PHP/application/common.php

1. The main structure of the config data table is as follows:

DROP TABLE IF EXISTS `config`;
CREATE TABLE `config` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `key` varchar(255) DEFAULT NULL,
  `val` text,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;

The sysconfig($name) function:


      
use think\Cache;
use app\common\model\Config;

/**
 * Gets or sets system parameters
 * @param string $name Parameter name
 * @return string
 */
function sysconfig($name) {
	$config = Cache::get('config');
    if (empty($config)) {
        // Load all key => val pairs from the config table
        $config = Config::column('key,val');
		Cache::set('config', $config, 1800); // Cache for 30 minutes
    }
    return isset($config[$name]) ? $config[$name] : '';
}

Supplement:

1. If the system is only for your own use, you can add the following setting directly to the config file.

return [
    // +----------------------------------------------------------------------
    // | Application settings
    // +----------------------------------------------------------------------
	// Backend module name
    'admin_module' => 'myadmin',
];

2. Then read it directly in the project:

$admin_module = config('admin_module');

 

application/route.php


      
use think\Route;

$route_config = [
	'index' => 'index/index',
];
//1. Obtain the backend module name
$admin_module = sysconfig('admin_module');
if ($admin_module == '') {
    $admin_module = 'admin';
}
//2. Configure the backend routes
if ($admin_module != 'admin') {
    $admin_route_config = [
		// Block the default routes: point them at a non-login action which,
		// when the visitor is not logged in, shows the 404 page
		'admin/$' => 'admin/login/jump',
		'admin/login$' => 'admin/login/jump',
		'admin/login/index' => 'admin/login/jump',
		// The new backend entrance
		$admin_module . '/$' => 'admin/login/index',
	];
	$route_config = array_merge($route_config, $admin_route_config);
}
return $route_config;

4. Add the jump() method to the Login controller login.php

1. This jump() method is the action that the blocked routes in step 3 point to

public function jump() {
	if (!Session::has('uid')) {
		$request = Request::instance();
		if (sysconfig('admin_module') == 'admin' || sysconfig('admin_module') == '') {
			// Backend path not changed: go to the normal login page
			$this->redirect('@admin/login/index');
		} else {
			// Backend path changed: pretend the old address does not exist
			header("HTTP/1.1 404 Not Found");
			return $this->fetch(APP_PATH . '/404.html');
		}
	} else {
		// Already logged in: go to the backend home page
		$this->redirect('@admin/index/index');
	}
}

Jump (); jump(); jump(); jump(); jump()

3. Put the 404.html page into the application directory, with the following code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Sorry, this page can not be found temporarily!</title>

<style type="text/css">
body {margin: 0px; padding:0px; font-family:Microsoft Yahei, Arial, "Trebuchet MS", Verdana, Georgia,Baskerville,Palatino,Times; font-size:16px; }
div{margin-left:auto; margin-right:auto; }
a {text-decoration: none; color: #1064A0; }
a:hover {color: #0078D2; }
img { border:none; }
h1,h2,h3,h4 {
/* display:block; */
	margin:0;
	font-weight:normal;
	font-family: Microsoft Yahei, Arial, "Trebuchet MS", Helvetica, Verdana ;
}
h1{font-size:44px; color:#0188DE; padding:20px 0px 10px 0px; }
h2{color:#0188DE; font-size:16px; padding:10px 0px 40px 0px; }
#page{width:910px; padding:20px 20px 40px 20px; margin-top:80px; }
.button{width:180px; height:28px; margin-left:0px; margin-top:10px; background:#009CFF; border-bottom:4px solid #0188DE; text-align:center; }
.button a{width:180px; height:28px; display:block; font-size:14px; color:#fff; }
.button a:hover{ background:#5BBFFF; }
</style>

</head>
<body>

<div id="page" style="border-style:dashed; border-color:#e4e4e4; line-height:30px;">
	<h1>Sorry, this page cannot be found</h1>
	<h2>Sorry, the page you're trying to find has moved. </h2>
	<font color="#666666">You requested to visit the page, temporarily can not find!</font><br /><br />
	<div class="button">
		<a href="javascript:;" onClick="javascript:history.back(-1);" title="Return to previous page">Return to previous page</a>
	</div>
</div>

</body>
</html>

4. The logout method

public function logout() {
	if (Session::has('adminid')) {
		Session::delete('adminid');
	}
	// Return to the (renamed) backend entrance
	$this->redirect(url('@' . sysconfig('admin_module')));
}
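
Once the backend has been renamed, the old addresses that route.php sends to jump() are no longer used by the real administrators, so requests to them are a useful signal that someone is looking for the backend. The following is an added example, not code from the original article: it counts such requests per client in a web server access log. The function name, the threshold and the log lines are constructed for illustration, and the combined log format is an assumption.

```php
<?php
// Added example: treat hits on the retired /admin addresses as a probing signal.
// find_admin_probes() and its threshold are hypothetical; log lines are constructed.
function find_admin_probes(array $lines, int $threshold = 3): array
{
    // The addresses that route.php now points at admin/login/jump.
    $retired = '#^/admin(/|/login(/|/index(\.html)?/?)?)?$#i';
    $hits = [];
    foreach ($lines as $line) {
        // Combined log format: ip - - [time] "METHOD target HTTP/x" status size ...
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"/', $line, $m)) {
            continue; // not a line we understand
        }
        $path = parse_url($m[2], PHP_URL_PATH); // drop any query string
        if (is_string($path) && preg_match($retired, $path)) {
            $hits[$m[1]] = ($hits[$m[1]] ?? 0) + 1;
        }
    }
    // Keep only clients that asked for a retired address at least $threshold times.
    return array_filter($hits, function ($n) use ($threshold) {
        return $n >= $threshold;
    });
}

// Constructed access-log sample (documentation IP ranges, made-up backend name).
$log = [
    '203.0.113.9 - - [10/May/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 512 "-" "curl/8.0"',
    '203.0.113.9 - - [10/May/2024:10:00:02 +0000] "GET /admin/login?next=1 HTTP/1.1" 404 512 "-" "curl/8.0"',
    '203.0.113.9 - - [10/May/2024:10:00:03 +0000] "POST /admin/login/index.html HTTP/1.1" 404 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/May/2024:10:01:00 +0000] "GET /myadmin_7f3k/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2024:10:01:05 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
];
print_r(find_admin_probes($log));
```

The match is on the request path only, not on the status code, so it does not depend on how the framework finally reports the response from jump().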